DeSIA: Attribute Inference Attacks Against Limited Fixed Aggregate Statistics
Yifeng Mao, Bozhidar Stevanoski, Yves-Alexandre de Montjoye

TL;DR
This paper introduces DeSIA, a novel attribute inference attack targeting limited fixed aggregate statistics, demonstrating significant privacy risks even with minimal data release and highlighting the need for formal privacy protections.
Contribution
DeSIA is a new inference attack framework that effectively infers user attributes from limited aggregate data, outperforming existing reconstruction methods and adaptable to membership inference.
Findings
DeSIA achieves a true positive rate of 0.14 at a false positive rate of 0.001.
Aggregation alone does not sufficiently protect privacy with few released statistics.
DeSIA performs well against unverifiable attributes and varying noise levels.
Abstract
Empirical inference attacks are a popular approach for evaluating the privacy risk of data release mechanisms in practice. While an active attack literature exists to evaluate machine learning models or synthetic data release, we currently lack comparable methods for fixed aggregate statistics, in particular when only a limited number of statistics are released. We here propose an inference attack framework against fixed aggregate statistics and an attribute inference attack called DeSIA. We instantiate DeSIA against the U.S. Census PPMF dataset and show it to strongly outperform reconstruction-based attacks. In particular, we show DeSIA to be highly effective at identifying vulnerable users, achieving a true positive rate of 0.14 at a false positive rate of 0.001. We then show DeSIA to perform well against users whose attributes cannot be verified and when varying the number of…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Data Quality and Management
